Commit 4467a370 authored by Matt Clarkson's avatar Matt Clarkson Committed by Cecilia Vela Gurovic

Bug 1789297: module/lti: Allow mahara to load in an iframe

behatnotneeded

Change-Id: I4d88cba9ca6bf9629a99203ac8ed1561e3d77c0d
parent 7d12ad38
......@@ -363,7 +363,7 @@ if (!defined('CLI')) {
header('Pragma: no-cache');
// Security headers. See https://www.owasp.org/index.php/List_of_useful_HTTP_headers
header('X-Frame-Options: SAMEORIGIN');
header('X-XSS-Protection: 1; mode=block');
header('X-Content-Type-Options: nosniff');
header('X-Permitted-Cross-Domain-Policies: master-only');
......@@ -372,6 +372,16 @@ if (!defined('CLI')) {
}
// Don't print precise PHP version as an HTTP header
header_remove('x-powered-by');
// Allow LTI to load in an iframe
if ($csp_ancestor_exemption = $SESSION->get('csp-ancestor-exemption')) {
header("Content-Security-Policy: frame-ancestors 'self' $csp_ancestor_exemption");
header('X-Frame-Options: ALLOW-FROM '. $csp_ancestor_exemption);
}
else {
header("Content-Security-Policy: frame-ancestors 'self'");
header('X-Frame-Options: SAMEORIGIN');
}
}
// Only do authentication once we know the page theme, so that the login form
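Review bot: The session value `$csp_ancestor_exemption` is interpolated into both headers in the exemption branch with no check on its shape, and because it lives in the session it relaxes framing protection for every page served to that session, not only LTI views. The code that stores 'csp-ancestor-exemption' is not visible in this hunk; if it is derived from LTI launch data, a value containing `;`, whitespace, `*` or a bare scheme would append extra directives or allow framing from any origin. Constrain it to a single scheme://host[:port] origin before use, for example `$csp_ancestor_exemption = $SESSION->get('csp-ancestor-exemption');` followed by `if ($csp_ancestor_exemption && preg_match('#^https?://[a-z0-9.-]+(:\d+)?$#i', $csp_ancestor_exemption)) {`, so that anything else falls through to the existing `else` branch. `X-Frame-Options: ALLOW-FROM` is obsolete and ignored by current browsers, so the effective control in that branch is `frame-ancestors` alone, which deserves a short comment. The enclosing `if (!defined('CLI'))` block starts outside the hunk.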
......